Sunday, February 11, 2007

Trivial remote Solaris 0day, disable telnet now.

NOTE: The following link may not be work-safe due to a cartoon...
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

Oh jeez, that’s not good. This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn’t require any skill or any exploit knowledge, and it can be scripted for mass attacks. Basically, if you pass "-fusername" as the argument to the -l option, you get full access to the OS as the user specified. In my example I do it as bin, but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly widespread exploitation of this vulnerability.

An example of the command line is

telnet -l "-fbin" target_address

Please disable telnet on Solaris at this time. The HEV for this will be shipping to ErrataSec customers within the hour.



UPDATE: There seem to be some conflicting reports about this vulnerability working with the root account. It does not work on a default install of Solaris 10. By default a variable called CONSOLE is set in /etc/default/login. If this variable is set, root is not allowed to log in from anywhere but the console. Commenting this variable out allows root to log in from anywhere, and that in turn lets the telnet exploit be used against the root account. Below is a pic of me trying it with CONSOLE set, then with CONSOLE commented out.
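The two defender-side checks that fall out of the post (disable telnet, and confirm CONSOLE is still set in /etc/default/login), plus the username sanitisation that telnetd lacked, as an added example that is not code from the original post or from Sun. The /etc/default/login contents are constructed samples; the `svcs -H` output format (STATE STIME FMRI columns) is assumed from Solaris 10 SMF and the sample lines are constructed.

```python
"""
Added example (not from the original post): defender checks for the
Solaris telnet "-f<user>" bug described above.

- reject_dash_username(): the input check telnetd should have applied.
  A username beginning with "-" would be parsed by login(1) as an option
  (the post's "-fbin" case), so it is refused before login is ever run.
- root_remote_login_allowed(): parses /etc/default/login text and reports
  whether an active CONSOLE= line exists (root restricted to the console,
  the Solaris 10 default) or not (root may log in remotely, the state the
  UPDATE describes after commenting CONSOLE out).
- telnet_service_enabled(): parses `svcs -H svc:/network/telnet:default`
  output; column layout STATE STIME FMRI is an assumption.

All sample data below is constructed, not copied from a real host.
"""
import re

# Constructed sample: Solaris 10 default state, CONSOLE set.
DEFAULT_LOGIN_HARDENED = """\
# /etc/default/login (constructed sample, default state)
CONSOLE=/dev/console
PASSREQ=YES
"""

# Constructed sample: CONSOLE commented out, the weak state from the UPDATE.
DEFAULT_LOGIN_WEAK = """\
# /etc/default/login (constructed sample, CONSOLE disabled)
#CONSOLE=/dev/console
PASSREQ=YES
"""

# Constructed samples of `svcs -H svc:/network/telnet:default` output.
SVCS_TELNET_ONLINE = "online         Feb_11   svc:/network/telnet:default\n"
SVCS_TELNET_DISABLED = "disabled       Feb_11   svc:/network/telnet:default\n"


def reject_dash_username(username: str) -> bool:
    """Return True if the name is safe to hand to login(1), False if login
    would read it as an option. Leading whitespace is stripped first so that
    " -fbin" cannot slip past the leading-dash test."""
    name = username.lstrip()
    if not name or name.startswith("-"):
        return False
    # Usernames are plain identifiers; anything else is refused as well.
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.-]*", name) is not None


def root_remote_login_allowed(default_login_text: str) -> bool:
    """True when /etc/default/login has no active (uncommented) CONSOLE= line,
    i.e. root may log in over the network."""
    for line in default_login_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out, e.g. "#CONSOLE=/dev/console"
        key, _, _value = stripped.partition("=")
        if key.strip() == "CONSOLE":
            return False  # CONSOLE set: root is confined to the console
    return True


def telnet_service_enabled(svcs_output: str) -> bool:
    """Parse `svcs -H` output (assumed STATE STIME FMRI). Any state other
    than 'disabled' is treated as exposed; an absent service is not."""
    for line in svcs_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[-1].endswith("telnet:default"):
            return fields[0] != "disabled"
    return False


def audit(svcs_output: str, default_login_text: str) -> list:
    """Combine both checks into a list of findings (empty list = hardened)."""
    findings = []
    if telnet_service_enabled(svcs_output):
        findings.append("telnet enabled: run "
                        "'svcadm disable svc:/network/telnet:default'")
    if root_remote_login_allowed(default_login_text):
        findings.append("CONSOLE not set in /etc/default/login: "
                        "root can log in over the network")
    return findings


if __name__ == "__main__":
    for label, svcs, login_cfg in (
        ("default install", SVCS_TELNET_ONLINE, DEFAULT_LOGIN_HARDENED),
        ("CONSOLE commented out", SVCS_TELNET_ONLINE, DEFAULT_LOGIN_WEAK),
        ("telnet disabled", SVCS_TELNET_DISABLED, DEFAULT_LOGIN_HARDENED),
    ):
        print(label, "->", audit(svcs, login_cfg) or ["no findings"])
    print("-fbin accepted?", reject_dash_username("-fbin"))
```

On a real Solaris 10 host the `svcs` text would come from `subprocess.run(["svcs", "-H", "svc:/network/telnet:default"], ...)` and the login file from `open("/etc/default/login").read()`; the checks themselves stay the same. Note that even with CONSOLE set, the post's point stands: telnet must be disabled, because the bug still grants access as any non-root user.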

7 comments:

Unknown said...

Isn't this nearly identical to the aix/linux rlogin -froot bug from years past (apart from not working for root)? Amazing.

David Maynor said...

It is pretty much the same. It amazes me this bug went unseen for this long.

dre said...

my gosh, such humility! thank you kingcope for this wonderful 0-day exploit!!@#!

it's not the disclosure that is important here, however. it's the message. kcope was definitely trying to say something when he made the subject line "0day was the case that they gave me" on the full-disclosure mailing-list. this is one of those classically good times for full-disclosure without notifying the vendor beforehand.

in my opinion, kcope was trying to tell the vulnerability research community that he thinks the samy indictment was too harsh. in other words, "the charges were incorrectly filed by the prosecution because of cultural differences". it's something akin to the punishment does not fit the crime, but suggests more of a .

if you didn't catch the reference, Snoop Dogg has a song/video/short-film/soundtrack called Murder Was the Case [that they gave me]. assuming that i understand this article correctly, it appears that Snoop Dogg and Dr. Dre made the movie in response to what was acceptable by the media circa 1994. if you're black and carry a gun - that makes you evil and a murderer - according to the moral majority. Snoop was being charged with murder (IRL) at the time, and pleaded self-defense. His movie-short tried to convey that everyone is a victim when gunplay is a part of everyday life.

it also appears that kcope and samy released their 0days in response to what is acceptable by the security incident response community. if you're a hacker and release a 0day - that makes you evil and a computer-criminal - according to today's moral majority. kcope's vulnerability disclosure is trying to convey that everyone is a victim when mickey-mouse security-bypasses are so prevalent.

Seth said...

You're not a criminal, but don't be a dick -- throw the vendor a frickin' bone over here. No attempt was made to make contact and keep this secret before blowing it out there? Criminal? No. Irresponsible? Yes.

David Maynor said...

We didn't disclose it. It was posted by another person to the full-disclosure mailing list. We were warning people this information is public and to disable telnet.

Jessta said...

The person who released that exploit was right to do so.
It's such a simple exploit that it shouldn't have been there in the first place.

If it was given to Sun first and they released a patch then it would have the same impact.

Sun already had their chance to fix the problem when they developed the software; releasing the exploit to the wild gets the users of the software to put more pressure on developers to develop secure code.

Jordan T-H said...

Oh no! Someone released INFORMATION! Now the internet is going to collapse! Silence him before all this INFORMATION leaks out into the open!